Big credit and debit card retailer breaches keep on coming, making 2014 – by any yardstick – the year of the massive breach.
Which are the largest?
First, understand this: More huge breaches may already have occurred but have not yet been divulged. Randal Cox, CSO at fraud analytics firm Rippleshot, insisted in a CU Times interview that he knew of three big breaches that have not yet been announced.
How does he know?
Rippleshot, using big data analytics, tracks reported fraudulent uses of cards back to common points of compromise. The technique is similar to what proactive credit unions do when a breach is reported; they try to get an early jump on which member cards were used at a Target, for example.
With Rippleshot, the difference is the massive dataset, and instead of working from reports of possible breaches, the company seeks to find breaches before they are reported.
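As an added illustration of common-point-of-compromise analysis in general (this is not Rippleshot's code or method, which the article does not describe), the Python below ranks merchants by how over-represented fraud-reporting cards are among the cards seen there. The merchant names, card ids, day numbers and the `min_cards` threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: (card id, merchant, day number of purchase).
TRANSACTIONS = [
    ("c1", "store-B", 5), ("c1", "grocer-A", 8),
    ("c2", "store-B", 6), ("c2", "grocer-A", 30),
    ("c3", "store-B", 7), ("c3", "cafe-C", 9),
    ("c4", "store-B", 6), ("c4", "grocer-A", 10),
    ("c5", "grocer-A", 3), ("c5", "cafe-C", 11),
    ("c6", "grocer-A", 4), ("c7", "grocer-A", 12),
    ("c7", "cafe-C", 14), ("c8", "grocer-A", 15),
    ("c9", "cafe-C", 2), ("c10", "kiosk-D", 9),
    ("c10", "grocer-A", 16),
]
# Constructed: day on which fraud was first reported for each card.
FRAUD_FIRST_SEEN = {"c1": 20, "c2": 22, "c3": 25, "c9": 12}


def rank_common_points(transactions, fraud_first_seen, min_cards=3):
    """Rank merchants by lift: fraud rate among cards seen there / overall rate."""
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant, day in transactions:
        cutoff = fraud_first_seen.get(card)
        if cutoff is not None and day >= cutoff:
            continue  # a purchase after the fraud began cannot be its source
        cards_at[merchant].add(card)
        all_cards.add(card)
    fraud_cards = all_cards & set(fraud_first_seen)
    if not fraud_cards:
        return []
    baseline = len(fraud_cards) / len(all_cards)
    ranked = []
    for merchant, cards in cards_at.items():
        if len(cards) < min_cards:
            continue  # too few cards seen here to draw any conclusion
        hits = len(cards & fraud_cards)
        lift = (hits / len(cards)) / baseline
        ranked.append((merchant, len(cards), hits, lift))
    # Highest lift first; merchant name breaks ties deterministically.
    return sorted(ranked, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for merchant, n, hits, lift in rank_common_points(TRANSACTIONS, FRAUD_FIRST_SEEN):
        print(f"{merchant:10s} cards={n} fraud={hits} lift={lift:.2f}")
```

A lift well above 1 only marks a merchant as a candidate for investigation; the busiest merchant in the sample (grocer-A) ranks last because most of its cards never reported fraud.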
What has happened that allows these breaches? As far as the retailer breaches go, security experts heaped scorn on the systems that are in place.
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said, “There just was poor security at companies like Target and Home Depot. They simply did not see these kinds of attacks coming.”
“The incidents of the last year point out the flaws in our security mindset. We need to take this more seriously,” he added. “We need an entire reboot in terms of our thinking about information security.”
As for JPMorgan Chase, if the reports are right that the hackers made off with very limited information, much of it available in public records, Kujawa said that this might show that the bank successfully secured the sensitive data that mattered, and apparently kept some data in a more readily accessed compartment.
“This isn’t 15-year-olds who are hacking,” Sharon Vardi, CMO of Securonix said. “These are highly skilled, well funded professionals who are good at their work.”
Security responses have to be just as professional, because the criminals are only getting smarter and more persistent, he said.
“Breaches aren’t going away,” Vardi said. “They in fact just seem to be getting bigger.”
For now, anyway, here are the 10 worst breach offenders this year.
P.F. Chang’s. The restaurant operator said in June that some customer credit and debit card information had been compromised at 33 restaurants, dating back to October 2013. Full details have not yet been revealed. In at least some restaurants, P.F. Chang’s ceased electronic processing of cards and reverted to using so-called “knuckle busters,” mechanical card presses.
Sally Beauty Supply. In March, the Texas-based beauty chain said it had been hacked by the same gang that hacked Target. In a statement, the company said, “We have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems.”
ACME Markets. Details about this breach, reported in late September, are sketchy. But Albertsons, the big food retailer that owns this regional, mid-Atlantic grocer, said that it discovered malicious software installed on networks that processed credit and debit cards at some of its stores. That software was believed to have been in place for around a month before discovery. Albertsons, in its statements, said it didn’t believe any customer data was stolen.
Michaels Stores. About 3 million customer debit and credit cards were acknowledged stolen by this crafts chain and a subsidiary, Aaron Brothers. In a statement, the company said, “After weeks of analysis, (Michaels stores and its subsidiary, Aaron Brothers), were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms” the company had retained to analyze what had gone wrong.
Goodwill Industries. The national, charitable resale organization announced in early September that card information at approximately 330 stores had been compromised. Some 868,000 payment cards were said to be involved in this breach, which occurred somewhere between Feb. 10, 2014 and Aug. 10, 2014.
Jimmy John’s. In September, the national sandwich shop disclosed that credit and debit card information collected at 216 locations across the nation had been breached. The company explained the incident this way: “An intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and Sept. 5, 2014.”
Neiman Marcus. A big, ugly breach at the luxury retailer apparently involved some 1.1 million card records. The company, in a statement, said, “We do know, and our forensic reports have confirmed, that malicious software (malware) was clandestinely installed on our system and that it attempted to collect or ‘scrape’ payment card data from July 16, 2013 to Oct. 30, 2013.”
After investigation, Neiman Marcus, by its count, said that the number of cards involved was smaller, in the vicinity of 350,000. The company also offered a number that is rarely disclosed: The count of cards that are known to have been used fraudulently. That number was 9,200, in a June statement signed by CEO Karen Katz.
The Home Depot. About 56 million card records were hacked in this attack that is said to revolve around malware that was installed on cash register systems.
Target Corporation. Around 70 million holiday shoppers had their card data compromised late last year in the breach at Target, the incident that kicked off the current wave of big breaches. In the aftermath, the CEO was fired, and breaches became a topic of continuing conversation among financial services executives.
JPMorgan Chase. The numbers just keep getting bigger regarding the summer breach at the trillion dollar bank. The New York Times reported that 76 million households and 7 million small businesses were involved. Exactly what the hackers made off with is not clear. Some reports suggest that credit and debit card information was not involved, that the hackers instead stole personal data such as addresses and phone numbers. More details will emerge shortly, and either way, this is looming as the biggest breach ever. And it occurred at an institution that was widely regarded to have exemplary security controls in place.